DevOps: The Fast, The Furious, The Secure.

Sr. Director of Product Security at Target


Background

Former Application Security Director for Capital One
Former Web Application Security SME for JPMorgan Chase
Former Security Consultant for Protiviti
Semi-Active Security Geek


Education

B.S. Information Science and Technology
M.S. Information Assurance
Penn State; Norwich University

Certifications

CISSP, SSCP, CEH, CPT


What is DevOps? Where do we put Security?

The Traditional Approach to Application Security

Gate-based Waterfall Methodology




Embedding security earlier - Moving To The

Planning requires intelligent requirements


• Threat Modeling

Accessible Guidance

• Agile Security Stories
• Secure Coding Guidelines
• Security Engineers
• Technical Training

Open Training Opportunities:

• AppsecTutorialSeries (YouTube)
• www.SafeCode.org

Open Training Labs:

• WebGoat
• HackMeBank
• DVWA
• Facebook CTF?
As code is developed, security is embedded

• IDE Plug-ins
• Self-Service
• Components & Frameworks
  • OWASP Dependency Check
  • Google Search Diggity
  • ESAPI
  • .NET AntiXSS
  • Conceal


Trust & Empowerment Trumps Security Gates

• Smart Automation
  • Hudson/Jenkins
• Controlled Scanning
  • On-demand
  • Time-based
  • Change-based
• Static
  • Findbugs-Security
  • FxCop
  • Brakeman
  • SonarQube
• Dynamic
  • nogotofail
  • OWASP ZAP
  • W3af / Nikto
  • OpenVAS
• Chaos Monkey
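One way to wire the automation described above into a Jenkins declarative pipeline, as an added example that is not from the slides: change-based and time-based triggers drive the static checks (OWASP Dependency Check and SonarQube) on every build, while the OWASP ZAP baseline scan runs only on the nightly build or on demand. The job name, the CVSS threshold, the SonarQube server name "sonar", the staging URL and the RUN_DAST parameter are assumptions.

```groovy
pipeline {
    agent any

    // Controlled scanning: time-based (nightly cron) and change-based (SCM polling).
    // On-demand runs come from "Build Now" with the RUN_DAST parameter set.
    triggers {
        cron('H 2 * * *')
        pollSCM('H/15 * * * *')
    }

    parameters {
        // Hypothetical parameter: lets a developer request a dynamic scan on demand
        booleanParam(name: 'RUN_DAST', defaultValue: false,
                     description: 'Run the OWASP ZAP baseline scan against staging')
    }

    environment {
        // Placeholder staging URL; replace with the real test deployment
        TARGET_URL = 'http://staging.example.invalid:8080'
    }

    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('Static analysis') {
            parallel {
                stage('Dependency Check') {
                    steps {
                        // Fail fast on known-vulnerable components scored CVSS 7.0 or higher
                        // (threshold is an assumption; tune it to the team's risk appetite)
                        sh 'dependency-check.sh --project sample-app --scan target --format HTML --failOnCVSS 7'
                    }
                }
                stage('SonarQube') {
                    steps {
                        // Assumes a SonarQube server registered in Jenkins under the name "sonar"
                        withSonarQubeEnv('sonar') { sh 'mvn -B sonar:sonar' }
                    }
                }
            }
        }
        stage('Dynamic analysis') {
            // Only the nightly (timer) build or an explicit request runs the slower DAST scan
            when { anyOf { triggeredBy 'TimerTrigger'; expression { params.RUN_DAST } } }
            steps {
                // ZAP baseline scan from the official container; -I reports warnings without failing the build
                sh 'docker run --rm -v "$PWD":/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t "$TARGET_URL" -r zap-report.html -I'
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: '**/dependency-check-report.html, zap-report.html', allowEmptyArchive: true
        }
    }
}
```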
Targeted Testing Must Be Performed By Experts

Penetration Testing

• Targeted Abuse Cases
• Risk Based Testing
• Feature Based Assessments
Hardened Images Enable Faster Deployment

• Build Automation


• Chef - Audit Mode
• Puppet - Security Integrity Management Platform

• Docker - Docker Security Scanning
  • ...subscription service?
Continuous Monitoring, Continuous Protection

Continuous Monitoring

• Sonar
• Hygieia

API Everything!
[Screenshot: SonarQube dashboard for the "Dependometer Maven Plugin Sample" project (key com.valtech.source.dependometer:dependometer-maven-plugin-sample, version 0.0.1-SNAPSHOT, language Java), showing lines of code, classes, comments, duplications, complexity and code coverage metrics, plus a Dependometer analysis panel (MaxDepthOfTypeInheritance: 1) and a JFree Eastwood chart sample.]

Take-Aways

• Development Operations + Security = DevOps
• Key security practices need SMEs, but many can be automated
• Security doesn't have to be expensive...
• Full Stack Ownership includes Security

Q & A now or later - @TySbano


